[Freeswitch-users] Thoughts on security/code injection/etc. in FS when allowing user supplied data
Nathan Neulinger
nneul at mst.edu
Sun May 19 18:17:58 MSD 2013
I've noticed several places in FS code and examples where it isn't safe at all to take user supplied data.
An easy example is the use of mailer_app:
#ifdef WIN32
    switch_snprintf(buf, B64BUFFLEN, "\"\"%s\" -f %s %s %s < \"%s\"\"", runtime.mailer_app, from, runtime.mailer_app_args, to, filename);
#else
    switch_snprintf(buf, B64BUFFLEN, "/bin/cat %s | %s -f %s %s %s", filename, runtime.mailer_app, from, runtime.mailer_app_args, to);
#endif
Another is ANY use of passing channel vars or data to a system or bgsystem command.
This isn't an issue normally, but if you want to give limited ability for users to control their own dial rules, then
you wind up having to be very careful with processing the data to make sure it's safe. That's always a good idea, but it
still seems like a bad idea to take that data and then directly use it in a completely unsafe context like a parsed
command line.
For the voicemail notify case, it seems like an easy answer would be something like a "vm-notify-hook", which at that
point could call out to lua or perl to do the actual sending in a safe manner, passing the recipient/sender/etc. as
data instead of on the cmd line.
For the 'passing channel vars...' case, I think it would be good to have a 'system_json' and 'bgsystem_json' set of
routines that would pass channel data to the script on stdin in json format.
Regardless of implementation of either of those, I think it would be worthwhile to have a shell_escape() routine in the
core utilities to allow the current syntax to be used more safely.
-- Nathan
------------------------------------------------------------
Nathan Neulinger nneul at mst.edu
Missouri S&T Information Technology (573) 612-1412
System Administrator - Architect
Join us at ClueCon 2011 Aug 9-11, 2011
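The post asks for a shell_escape() routine in the core utilities so the existing command-line syntax can be used safely. As an added example that is not FreeSWITCH code and not the author's, the following C program shows one way such a routine can work (POSIX single-quoting, the only safe way to hand /bin/sh an arbitrary string as one literal argument) and rebuilds the non-Windows mailer command from the post with every field that could be user-derived quoted. The names shell_escape() and build_mailer_cmd() and the sample from/to/filename values are assumptions for illustration; the mailer-args field is left unquoted on purpose, since in the original it is operator configuration that may carry several options.

```c
/* Added example, not FreeSWITCH source: POSIX shell argument quoting
 * and the voicemail mailer command rebuilt with quoted fields.
 * shell_escape() and build_mailer_cmd() are illustrative names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes for /bin/sh. Inside single quotes the shell
 * interprets nothing, so the only character that needs handling is the
 * single quote itself, emitted as '\'' (close, escaped quote, reopen).
 * Returns a malloc'd string that the caller frees, or NULL on OOM. */
char *shell_escape(const char *s)
{
    size_t len = strlen(s), quotes = 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '\'') quotes++;
    /* two surrounding quotes + 3 extra bytes per embedded quote + NUL */
    char *out = malloc(len + 2 + quotes * 3 + 1);
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* The "/bin/cat %s | %s -f %s %s %s" command from the post, with the
 * filename, mailer path, sender and recipient each passed through
 * shell_escape(). mailer_args is operator config and stays unquoted so
 * it can still expand to several options. Returns a malloc'd string. */
char *build_mailer_cmd(const char *mailer_app, const char *mailer_args,
                       const char *from, const char *to,
                       const char *filename)
{
    char *q_file = shell_escape(filename);
    char *q_app = shell_escape(mailer_app);
    char *q_from = shell_escape(from);
    char *q_to = shell_escape(to);
    char *cmd = NULL;
    if (q_file && q_app && q_from && q_to) {
        size_t n = strlen(q_file) + strlen(q_app) + strlen(q_from)
                 + strlen(mailer_args) + strlen(q_to) + 32;
        cmd = malloc(n);
        if (cmd)
            snprintf(cmd, n, "/bin/cat %s | %s -f %s %s %s",
                     q_file, q_app, q_from, mailer_args, q_to);
    }
    free(q_file); free(q_app); free(q_from); free(q_to);
    return cmd;
}

int main(void)
{
    /* Constructed sample: a recipient string carrying shell
     * metacharacters. Once quoted, the shell hands it to the mailer
     * as a single literal argument instead of parsing it. */
    const char *to = "alice@example.com; id";
    char *cmd = build_mailer_cmd("/usr/sbin/sendmail", "-t",
                                 "vm@example.com", to, "/var/vm/msg.wav");
    if (cmd) printf("%s\n", cmd);
    free(cmd);
    return 0;
}
```

Quoting fixes only the shell-parsing layer; the mailer itself still sees the string, so a value like the sample one above is handed to sendmail as an odd-looking address rather than executed. The stdin/JSON approach the post suggests for system/bgsystem removes the shell from the data path entirely and is the stronger design where it is available.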